The Mozilla Foundation released a new version of Firefox this week—release number 59. It treads further down the performance improvement path that November's Quantum release began, but its most interesting feature is a quality-of-life one: Firefox 59 users can prevent some websites from popping up requests to send notifications to your device or from requesting to use your camera unexpectedly.

Specifically, the update notes say:

Added settings in about:preferences to stop websites from asking to send notifications or access your device's camera, microphone, and location, while still allowing trusted websites to use these features

Numerous websites, especially news sites and other publishers, request to send these notifications so the notification center of, say, your Mac will be filled with news stories with enticing headlines for you to click, driving more traffic. It's annoying, and it muddies the waters of the Web browser's user experience. You can add trusted websites as exceptions, but all such requests will be blocked otherwise.

Developer Q&A site Stack Overflow performs an annual survey to find out more about the programmer community, and the latest set of results has just been published.

JavaScript remains the most widely used programming language among professional developers, making that six years at the top for the lingua franca of Web development. Other Web tech also ranked highly, including HTML (#2 in the ranking), CSS (#3), and PHP (#9). Business-oriented languages were also in wide use, with SQL at #4, Java at #5, and C# at #8. Shell scripting made a surprising showing at #6 (having not shown up at all in past years, which suggests that the questions have changed year-to-year), Python appeared at #7, and systems programming stalwart C++ rounded out the top 10.

These aren't, however, the languages that developers necessarily want to use. Only three languages from the most-used top ten were in the most-loved list: Python (#3), JavaScript (#7), and C# (#8). For the third year running, that list was topped by Rust, the new systems programming language developed by Mozilla. Second on the list was Kotlin, which wasn't even in the top 20 last year. This new interest is likely due to Google's decision last year to bless the language as an official development language for Android. TypeScript, Microsoft's "better JavaScript than JavaScript," comes in at fourth, with Google's Go language coming in at fifth. Smalltalk, last year's second-most loved, is nowhere to be seen this time around.

The 2015 introduction of Google's AMP, "Accelerated Mobile Pages," has been deeply contentious within the Web community. AMP is based on HTML, JavaScript, and other related technologies, with a bunch of non-standard alterations and restrictions to, Google says, achieve a number of things that are useful, especially for mobile browsers.

AMP has three main parts: a restricted subset of HTML with custom AMP-specific tags for things like images, audio, and video; a special, mandatory JavaScript library that handles the custom tags, limited animations, and certain other features; and a caching proxy system, wherein Google validates AMP pages and serves them to clients itself.

The Khronos Group today launched Vulkan 1.1, the first big revision of its vendor-neutral, cross-platform GPU API.

The new revision standardizes a handful of features that were previously offered as extensions. The release rounds out the API, bringing parity with Microsoft's DirectX 12 in a few areas where it was absent, improving compatibility with DirectX 12, and laying the groundwork for the next generation of GPUs.

One feature in particular goes a long way toward filling a Vulkan gap relative to Microsoft's API: explicit multi-GPU support, which allows one program to spread its work across multiple GPUs. Unlike SLI and Crossfire of old, where the task of divvying up the rendering between GPUs was largely handled by the driver, this support gives control to the developer. With the addition, developers can create "device groups" that aggregate multiple physical GPUs into a single virtual device and choose how work is dispatched to the different physical GPUs. Resources from one physical GPU can be used by another GPU, different commands can be run on the different GPUs, and one GPU can show rendered images that were created by another GPU.

The LLVM dragon logo, in honor of the dragon book. (credit: Apple)

Google's Chrome browser is now built using the Clang compiler on Windows. The Windows build previously used the Microsoft C++ compiler; Google now uses the same compiler for Windows, macOS, Linux, and Android, and the switch makes Chrome arguably the first major software project to use Clang on Windows.

Chrome on macOS and Linux has long been built using the Clang compiler and the LLVM toolchain. The open source compiler is the compiler of choice on macOS, making it the natural option there, and it's also a first-class choice for Linux; though the venerable GCC is still the primary compiler choice on Linux, by using Clang instead, Google ensured that it has only one set of compiler quirks and oddities to work with rather than two.

But Chrome on Windows has instead used Microsoft's Visual C++ compiler. The Visual C++ compiler is the best-supported, most widely used compiler on Windows and, critically, is the compiler with the best support for Windows' wide range of debugging and diagnostic tools. The Visual Studio debugger is widely loved by the C++ community, and other tools, such as the WinDbg debugger (often used for analyzing crash dumps), are core parts of the Windows developer experience.

Microsoft released the first version of its quantum development kit and a new quantum computing programming language, Q#, last December. Today, the company has released an update that adds support for quantum development on macOS and Linux. Both the Q# language and the company's quantum simulator will run on these platforms in addition to Windows.

The new release of the simulator is much faster than the first release, with the company saying that it runs four to five times faster, especially on simulations with 20 or more qubits.

The quantum libraries and samples are now available under an open source license—the source to these was previously merely shared—enabling others to modify and extend them. Interoperability with existing libraries is also being improved: Microsoft is working on integrating Python support. On Windows, today's release includes a preview of the Python integration, which allows Q# programs to call Python code and vice versa.

Firefox 58, out today, continues to deliver Project Quantum, Mozilla's far-reaching modernization effort that's boosting the browser's performance, security, and maintainability. The initiative allows Firefox to take better advantage of modern multicore processors and makes the browser better suited to the demands of today's Web applications.

The two highlights from today's release are an optional Tracking Protection feature and new multithreading in the page rendering.

Firefox has had Tracking Protection in its Private Browsing mode for a couple of years. This actively blocks ads, analytics trackers, and social media sharing buttons, reducing the privacy exposure that these things can cause. Firefox 58 brings the option of using Tracking Protection even in the regular browser, blocking this content without having to use Private Browsing.

Google currently has two OSes on the market: Android and Chrome OS. The company is never one to leave a successful product alone in the marketplace, though, so it's also developing a third operating system called "Fuchsia." When we last checked in on the experimental OS in May 2017, calling it an "OS" was a bit of a stretch. We only got the system UI up and running on top of Android, where it then functioned like an app. The UI offered a neat multi-window system, but mostly it was just a bunch of placeholder graphics. Nothing worked.

It has been hard to check in on Fuchsia since. The Fuchsia team quickly shut down the Android (and iOS) compatible builds of the system UI, which was written with a cross-platform SDK called "Flutter." Fuchsia has a Vulkan-based graphics stack, and no emulator supports the new-ish graphics API. The only way to get Fuchsia up and running again was with actual hardware, and the only supported devices were Intel NUC PCs from 2015 and the Acer Switch Alpha 12 laptop.

There's a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users' computers. That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.

Researcher Tavis Ormandy published the proof-of-concept attack code last week, along with a detailed description of the underlying vulnerability it exploited. Normally, Project Zero withholds publication of such details for 90 days or until the developer has released a fix. In this case, however, Ormandy's private report to Transmission included a patch that completely fixed the vulnerability. The researcher went ahead and disclosed the vulnerability last Tuesday—only 40 days after the initial report—because Transmission developers had yet to apply it. Ormandy said the publication would allow Ubuntu and other downstream projects to independently install the fix.

"I'm finding it frustrating that the Transmission developers are not responding on their private security list," Ormandy wrote in Tuesday's public report. "I suggested moving this into the open so that distributions can apply the patch independently."

In 2015, Microsoft announced its intent to bring OpenSSH, the widely used implementation of the secure shell (ssh) protocol used for remote system access and administration throughout the UNIX world, natively to Windows. Without too many people noticing, it turns out that the company has now done this. The Windows 10 Fall Creators Update adds a couple of optional features, with both client and server now available for installation (via Serve The Home).

Add the feature from the Optional Features settings page and, well... I think it works, but I'm not entirely sure because I can't make it work. It can't use my RSA key—Microsoft's issues list on GitHub says that only ed25519 keys are supported at present—but my ed25519 key isn't working either. I have seen people successfully use it with password authentication, but I don't have a password-authenticated server to actually test with right now. Both my keys work fine from Windows Subsystem for Linux ssh, so I'm confident that they're fine; the native Win32 program just doesn't like them for reasons that aren't at all obvious at this time.

Update: I rebooted both ends for unrelated reasons, and now the ed25519 key is working. I have no idea what changed.

Chrome 63 offers even more protection from malicious sites, using even more memory (Ars Technica, Thu, 07 Dec 2017)

You might need more of this stuff if you want to use Chrome's new Site Isolation mode. Well, not this stuff exactly; it's RAM from a very obsolete VAX computer. (credit: Kevin Stanchfield)

To further increase its enterprise appeal, Chrome 63—which hit the browser's stable release channel yesterday—includes a couple of new security enhancements aimed particularly at the corporate market.

The first of these is site isolation, an even stricter version of the multiple process model that Chrome has used since its introduction. Chrome uses multiple processes for several security and stability reasons. On the stability front, the model means that even if a single tab crashes, other tabs (and the browser itself) are unaffected. On the security front, the use of multiple processes makes it much harder for malicious code from one site to steal secrets (such as passwords typed into forms) of another.

Chrome's default model is, approximately, to use one process per tab. This more or less ensures that unrelated sites are kept in separate processes, but there are nuances to this set-up. Pages share a process if they are related through, for example, one opening another with JavaScript or iframes embedding (wherein one page is included as content within another page). Over the course of a single browsing session, one tab may be used to visit multiple different domains; they'll all potentially be opened within a single process. On top of this, if there are already too many Chrome processes running, Chrome will start opening new pages within existing processes, resulting in even unrelated pages sharing a process.

If you've been following the Linux world at all, you know this has been an entire year for spring cleaning. Early in 2017, Canonical stopped work on its homegrown Unity desktop, Mir display server, and its larger vision of "convergence"—a unified interface for Ubuntu for phones, tablets, and desktops.

And now almost exactly six years after Ubuntu first switched from GNOME 2 to the Unity desktop, that has been dropped, too. The distro is back to GNOME, and Canonical recently released Ubuntu 17.10, a major update with some significant changes coming to the popular Ubuntu Linux operating system.

In light of the GNOME switch, this release seems like more of a homecoming than an entirely new voyage. But that said, Ubuntu 17.10 simultaneously feels very much like the start of a new voyage for Ubuntu. The last few Ubuntu desktop releases have been about as exciting as OpenSSH releases—you know you need to update, but beyond that, no one really cares. Sure, there have been a few feature updates with each new numeric increment, perhaps some slightly more up-to-date GNOME and GTK components under the hood. But by and large, Ubuntu's Unity 7 desktop has been in maintenance mode for several years.

Microsoft and GitHub team up to take Git virtual file system to macOS, Linux (Ars Technica, Thu, 16 Nov 2017)

One of the more surprising stories of the past year was Microsoft's announcement that it was going to use the Git version control system for Windows development. Microsoft had to modify Git to handle the demands of Windows development but said that it wanted to get these modifications accepted upstream and integrated into the standard Git client.

That plan appears to be going well. Yesterday, the company announced that GitHub was adopting its modifications and that the two would be working together to bring suitable clients to macOS and Linux.

Microsoft wanted to move to Git because of Git's features, like its easy branching and its popularity among developers. But the transition faced three problems. Git wasn't designed for such vast numbers of developers—more than 3,000 actively working on the codebase. Also, Git wasn't designed for a codebase that was so large, either in terms of the number of files and version history for each file, or in terms of sheer size, coming in at more than 300GB. When using standard Git, working with the source repository was unacceptably slow. Common operations (such as checking which files have been modified) would take multiple minutes.

The Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime—has partnered with IBM and Packet Clearing House to launch a free public Domain Name System (DNS) resolver. That service is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts, and is primarily aimed at organizations that don't run their own DNS blacklisting and whitelisting services. Called Quad9 (after the 9.9.9.9 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google's), except that it won't return name resolutions for sites that are identified via the threat feeds the service aggregates daily.

"Anyone anywhere can use it," said Phil Rettinger, GCA's president and chief operating officer, in an interview with Ars. The service, he says, will be "privacy sensitive," with no logging of the addresses making DNS requests—"we will keep only [rough] geolocation data," he said, for the purposes of tracking the spread of requests associated with particular malicious domains. "We're anonymizing the data, sacrificing on the side of privacy."

Intelligence on malicious domains comes from 19 threat feeds—one of which is IBM's X-Force. Adnan Baykal, GCA's Chief Technical Advisor, told Ars that the service pulls in these threat feeds in whatever format they are published in, and it converts them into a database that is then de-duplicated. Quad9 also generates a whitelist of domains never to block; it uses a list of the top one million requested domains. During development, Quad9 used Alexa, but now that Alexa's top million sites list is no longer being maintained, Baykal said that GCA and its partners had to turn to an alternative source for the data—the Majestic Million daily top-million sites feed.
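The aggregation pipeline described above, as an added example that is not Quad9's or GCA's own code: three constructed feeds in different formats are normalised, merged, de-duplicated and checked against a constructed allowlist standing in for the top-million list, and a resolver-side policy then decides whether a query is answered or blocked. Blocking subdomains of a listed name is an assumption of this example, not something the article states.

```python
import csv
import io
import re
from typing import Iterable, List, Optional, Set

# Constructed sample feeds in three common shapes: a plain domain list, a
# hosts-file style list, and a CSV export. None of these are real indicators.
FEED_PLAIN = """\
# constructed feed A
malicious.example
Phish-Login.example.
update.cdn.example
"""

FEED_HOSTS = """\
# constructed feed B (hosts-file style)
0.0.0.0 malicious.example
127.0.0.1 tracker.example
0.0.0.0 cdn.example
127.0.0.1 localhost
"""

FEED_CSV = """\
domain,first_seen,category
botnet-c2.example,2017-11-01,botnet
MALICIOUS.EXAMPLE,2017-11-02,phishing
"""

# Constructed stand-in for the top-million allowlist (Majestic Million in the article).
ALLOWLIST = {"cdn.example", "example.org"}

_LABEL = re.compile(r"^[a-z0-9-]{1,63}$")


def normalise(domain: str) -> Optional[str]:
    """Lower-case, strip a trailing dot, and reject anything that is not a hostname."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    # Single-label names (e.g. "localhost") and invalid labels are discarded.
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return d


def parse_feed(text: str) -> Iterable[str]:
    """Yield candidate domains from plain, hosts-style, or CSV feed text."""
    first = next((ln for ln in text.splitlines() if ln and not ln.startswith("#")), "")
    if first.lower().startswith("domain,"):
        for row in csv.DictReader(io.StringIO(text)):
            yield row["domain"]
        return
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # hosts-file style is "<ip> <hostname>"; plain style is just "<hostname>"
        yield parts[1] if len(parts) >= 2 else parts[0]


def build_blocklist(feeds: List[str], allowlist: Set[str]) -> Set[str]:
    """Merge, normalise and de-duplicate feeds, then carve out allowlisted domains."""
    blocked: Set[str] = set()
    for feed in feeds:
        for raw in parse_feed(feed):
            d = normalise(raw)
            if d is not None:
                blocked.add(d)
    # The allowlist wins: a top-million domain is never blocked even if a feed lists it.
    return blocked - allowlist


def resolve_policy(qname: str, blocklist: Set[str]) -> str:
    """Return 'BLOCK' (resolver answers NXDOMAIN) or 'RESOLVE' for a queried name."""
    d = normalise(qname)
    if d is None:
        return "RESOLVE"
    labels = d.split(".")
    # Match the exact name and every parent domain down to the registrable name.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return "BLOCK"
    return "RESOLVE"


if __name__ == "__main__":
    bl = build_blocklist([FEED_PLAIN, FEED_HOSTS, FEED_CSV], ALLOWLIST)
    print(sorted(bl))
    for q in ["malicious.example", "login.botnet-c2.example", "cdn.example"]:
        print(q, resolve_policy(q, bl))
```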

The Internet of Things is a powerful concept, especially in the industrial world—but it's also full of potential security disasters and hidden computing and networking costs. But what if all you had to do to create a secure network of distributed Linux systems—complete with location awareness and custom application support capable of supporting location-based applications like asset tracking, robotic delivery, and "smart rooms"—was to change the lightbulbs?

That's the concept behind Lunera's Smart Lamps. These LED-based replacements for fluorescent and other commercial lighting systems also have a full Linux server with Wi-Fi and Bluetooth, 2 gigabytes of RAM, and 2 gigabytes of Flash storage embedded in their end-caps. The Bluetooth capability includes iBeacon micro-location services—enabling retail, medical, and industrial location services. And the Wi-Fi "enables Wi-Fi network monitoring and also extending the Wi-Fi mesh," CEO John Bruggeman explained in an interview with Ars. "Wi-Fi and Bluetooth are like electricity and water for the digital experience."

Lunera had previously shipped LED replacements for commercial lighting system tubes and lamps, including fluorescent and high-pressure sodium (HPS) bulbs. But the new Smart Lamps carry quad-core, 700 MHz ARM-based processors with memory and storage on the same die. Configurable with a mobile application and controlled through a cloud portal via a dedicated virtual private network, Lunera's smart lamps can sense each other and create a location-sensitive wireless network mesh using Bluetooth iBeacons—a mesh that can be mapped to CAD drawings of commercial facilities' lighting systems. And these lamps can run Docker containers, allowing anyone to develop applications that leverage location and Wi-Fi services and what Bruggeman describes as "ambient compute services."

NEW YORK—On the first day of its Connect developer conference, Microsoft announced that it is joining the MariaDB Foundation, the group that oversees the development of the MariaDB database.

Connect is Microsoft's other annual developer conference. The company's big conference, Build, takes place each spring and covers the breadth of Microsoft-related development, from Windows to Azure to Office to HoloLens. Connect has tended to have something of an open source, database, and cloud spin to it. At Connect last year, Microsoft announced that it was joining the Linux Foundation. In years prior, the company has used the event to announce the open sourcing of Visual Studio Code and, before that, .NET.

MariaDB is a fork of the MySQL database that's developed and maintained by many of the original MySQL contributors. In 2008, Sun Microsystems bought MySQL AB, the company that developed and created MySQL. In 2009, Oracle announced its plans to buy Sun, creating fear in the community about MySQL's future as a successful, community-developed, open-source project. To ensure that the database would continue development in spite of the purchase, the MariaDB fork was created in 2009. The subsequent development of MySQL arguably justifies those fears; while Oracle still publishes source code, the development itself happens behind closed doors, with minimal outside contributions.

Mozilla is working on a major overhaul of its Firefox browser, and, with the general release of Firefox 57 today, has reached a major milestone. The version of the browser coming out today has a sleek new interface and, under the hood, major performance enhancements, with Mozilla claiming that it's as much as twice as fast as it was a year ago. Not only should it be faster to load and render pages, but its user interface should remain quick and responsive even under heavy load with hundreds of tabs.

This work is being motivated by a few things. First, the Web has changed since many parts of Firefox were initially designed and developed; pages are more dynamic in structure and applications are richer and more graphically intensive. JavaScript is also more complex and difficult to debug. Second, computers now have many cores and simultaneous threads, giving them much greater scope to work in parallel. And security remains a pressing concern, prompting the use of new techniques to protect against exploitation. Some of the rebuilt portions are even using Mozilla's new Rust programming language, which is designed to offer improved security compared to C++.

Earlier this year we wrote about Project Quantum, Mozilla's work to modernize Firefox and rebuild it to handle the needs of the modern Web.

Today, that work takes a big step toward the mainstream with the release of the new Firefox 57 developer edition. The old Firefox developer edition was based on the alpha-quality Aurora channel, which was two versions ahead of the stable version. In April, Mozilla scrapped the Aurora channel, and the developer edition moved to being based on the beta channel. The developer edition is used by a few hundred thousand users each month and is for the most part identical to the beta, except it has a different theme by default—a dark theme instead of the normal light one—and changes a few default settings in ways that developers tend to prefer.

That theme is a good place to start. The new user interface, named Photon, brings with it square tabs and a much more conventional main menu. The current curvy tabs were met with outrage on their introduction in 2014, so the reversion to square tabs will, frankly, probably be met with outrage, but the look is clean and precise. There's also a new tab page that adds recommended stories to the usual list of your most-visited sites.

Believe it or not, there's a crowdsourced, open source non-profit attempting to build a sea-launched suborbital rocket. Called Copenhagen Suborbitals, it even had access to a submarine. A club associated with the venture completed the sub in 2008, designed by Peter Madsen, a Danish inventor who is co-founder of the group. That submarine is now at the bottom of the sea, and Madsen is being held by Danish authorities on suspicion of "unlawful killing"—a precursor charge to manslaughter or murder.

The UC3 Nautilus was the third and largest submarine effort by the club, costing $200,000 to construct. It served as a workhorse for Copenhagen Suborbitals, helping push the group's Sputnik rocket launch platform into position on a number of occasions. Nautilus is—or was—powered by two diesel engines above the surface and by batteries underwater. While it could hold a crew of four underwater, all of its controls could be managed by a single person from its control room.

By 2011, the sub needed an overhaul. But the repairs required more than Copenhagen Suborbitals could afford to sink into the Nautilus. So in 2013, the group launched an Indiegogo campaign to get it back in the water. In a video, Madsen described the sub and the inspiration behind it.

Meatpistol was supposed to be released at DEFCON. But Salesforce pulled the plug—and fired two security employees for presenting about it. (credit: DEFCON/Schwartz and Cramb)

At Defcon in Las Vegas last month, word rapidly spread that two speakers—members of Salesforce's internal "red team"—had been fired by a senior executive from Salesforce "as they left the stage." Those two speakers, who presented under their Twitter handles, were Josh "FuzzyNop" Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer.

Schwartz and Cramb were presenting the details of their tool, called Meatpistol. It's a "modular malware implant framework" similar in intent to the Metasploit toolkit used by many penetration testers, except that Meatpistol is not a library of common exploits, and it is not intended for penetration testing. The tool was anticipated to be released as open source at the time of the presentation, but Salesforce has held back the code.

"Meatpistol is a framework for red teams to create better implants," and an "offensive infrastructure automation tool," Schwartz and Cramb explained in their presentation. It is intended to automate the grunt work of deploying new malware attacks for multiple types of targets. Rather than testing for common vulnerabilities as penetration testers often do, the internal red team Schwartz led until last month had the job of constantly probing and attacking Salesforce's systems. It even stole data like real adversaries, operating with nearly unrestricted rules of engagement internally.